Data, Privacy & Security Practice Group
August 21, 2014
Russian Hackers Stockpile Over 1 Billion Internet Credentials
Industry Leaders Across All Sectors Likely Impacted
A Russian hacking group reportedly engaged in the largest known cyberattack by amassing over 1.2 billion unique sets of usernames and passwords and 500 million email addresses from more than 420,000 web and FTP sites. The attack was uncovered by Hold Security, an information security company based in Milwaukee, which has been investigating the attack for several months. Various news reports have confirmed the company’s findings.[1] Among the victims are “leaders in virtually all industries across the world,”[2] including “the auto industry, real estate, oil companies, consulting firms, car rental businesses, hotels, computer hardware and software firms and the food industry,” but Hold Security is not naming specific victims.[3] The security firm intends to reach out to individual victims confidentially.[4] The Russian hackers reportedly utilized a hacking technique known as SQL injection, which exploits a security vulnerability in an application’s software to inject malicious SQL commands into the queries the application sends to its database.[5]
Companies victimized by the cyberattack that collect information from California and Florida residents may have an obligation under those states’ data breach notification laws to notify affected individuals and government agencies. In California and Florida, personally identifiable information includes an email address or username in combination with a password, among other data elements. If consumer usernames or email addresses and passwords were stolen by the Russian hackers, companies that collect that information from California or Florida residents may have a duty to notify the consumers and report the breach to government authorities.
In addition, even the state data breach notification laws that do not define personal information to include usernames and passwords may be implicated if there is evidence that the hackers use the stolen usernames and passwords to gain access to a consumer’s account and are able to obtain additional personal identifying information about the consumer from the website. For example, the hackers could use the login information to gain access to the user’s account information, including potentially the consumer’s name, date of birth, address or account numbers. Although there are no reports that the hackers have used the username and password information to gain access to additional personal identifying information available on the websites, if that activity is suspected, entities may have an obligation under state data breach laws to notify consumers.

This massive attack highlights the need for increased website security across all industries. Companies should no longer rely on “trusted” web applications to adequately protect their information. Instead, companies should focus on implementing their own network defenses. Website managers should immediately start testing their sites for intrusions and apply any available patches for their web servers, database servers, and applications. Clients should also contact third-party service providers to ensure that those vendors are monitoring for fraud and applying security patches. Clients should take proactive measures immediately, such as performing a risk analysis to assess potential risks to the personally identifiable information they collect and maintain. Clients should ensure that they collect only data that is necessary and adopt technical measures to protect data, including encryption or a suitable hashing mechanism. Clients should also update privacy policies and procedures, and implement procedures to identify and respond to breach events.

For more information, contact:
Phyllis B. Sumner
+1 404 572 4799
psumner@kslaw.com
Sarah E. Statz
+1 404 572 2813
sstatz@kslaw.com
Elizabeth K. Hinson
+1 404 572 2714
bhinson@kslaw.com
King & Spalding
Atlanta
1180 Peachtree Street, NE
Atlanta, Georgia 30309-3521
Tel: +1 404 572 4600
Fax: +1 404 572 5100
www.kslaw.com
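As an added illustration, not code from the alert, from Hold Security or from any affected company, the Python below pairs the string-built query that makes SQL injection possible with its parameterized form, and stores credentials as salted PBKDF2 hashes, the “suitable hashing mechanism” the alert recommends, so that a dumped table does not hand out reusable passwords. The in-memory table, the sample user and the probe input are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory credential table standing in for a site's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow PBKDF2-HMAC-SHA256: a dumped table yields hashes that must be
    # cracked one by one instead of reusable plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    # Store only salt + hash; a fresh random salt per user defeats precomputed
    # tables and hides which users share a password.
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))

def lookup_unsafe(username: str):
    # Vulnerable pattern: the value is spliced into the SQL text, so quote
    # characters in it change the structure of the query.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()

def lookup_safe(username: str):
    # Hardened pattern: a bound parameter reaches the engine as data and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT username FROM users WHERE username = ?",
                        (username,)).fetchone()

def verify(username: str, password: str) -> bool:
    # Recompute with the stored salt; constant-time compare avoids leaking
    # how many bytes matched.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

register("alice", "correct horse battery staple")  # constructed sample user

if __name__ == "__main__":
    probe = "nobody' OR '1'='1"  # constructed probe input, not a real user
    print(lookup_unsafe(probe), lookup_safe(probe))  # ('alice',) None
    print(verify("alice", "correct horse battery staple"))  # True
```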
King & Spalding’s Data, Privacy and Security Practice
King & Spalding is particularly well equipped to assist clients in the area of privacy and information security law. Our Data, Privacy & Security Practice regularly advises clients regarding the myriad statutory and regulatory requirements that businesses face when handling personal customer information and other sensitive information in the U.S. and globally. This often involves assisting clients in developing comprehensive privacy and data security programs, responding to data security breaches, complying with breach notification laws, avoiding potential litigation arising out of internal and external data security breaches, defending litigation, whether class actions brought by those affected by data breaches, third-party suits, or government actions, and handling both state and federal government investigations and enforcement actions.

With more than 30 Data, Privacy & Security lawyers in offices across the United States, Europe and the Middle East, King & Spalding is able to provide substantive expertise and collaborative support to clients across a wide spectrum of industries and jurisdictions facing privacy-based legal concerns. We apply a multidisciplinary approach to such issues, bringing together attorneys with backgrounds in corporate governance and transactions, healthcare, intellectual property rights, complex civil litigation, e-discovery, government investigations, government advocacy, insurance recovery, and public policy.
* * *
Celebrating more than 125 years of service, King & Spalding is an international law firm that represents a broad array of clients, including half of the Fortune Global 100, with 800 lawyers in 17 offices in the United States, Europe, the Middle East and Asia. The firm has handled matters in over 160 countries on six continents and is consistently recognized for the results it obtains, uncompromising commitment to quality and dedication to understanding the business and culture of its clients. More information is available at www.kslaw.com.

This alert provides a general summary of recent legal developments. It is not intended to be and should not be relied upon as legal advice. In some jurisdictions, this may be considered “Attorney Advertising.”
[1] See Press Release, “You Have Been Hacked!”, available at http://www.holdsecurity.com/news/cybervor-breach/; see also Nicole Perlroth & David Gelles, Russian Hackers Amass Over a Billion Internet Passwords, N.Y. TIMES (Aug. 5, 2014), available at http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0; Danny Yadron, Russian Hackers Steal 1.2 Billion Usernames and Passwords, Security Firm Says, WALL ST. J. DIGITS BLOG (Aug. 5, 2014 8:43 PM), available at http://blogs.wsj.com/digits/2014/08/05/security-firm-russian-hackers-amassed-1-2-billion-web-credentials/.
[2] See Press Release, supra.
[3] See Donna Leinwand Leger, Elizabeth Weise & Jessica Guynn, Russian Gang stole 1.2 billion Net passwords, USA TODAY (Aug. 5, 2014), available at http://www.usatoday.com/story/tech/personal/2014/08/05/russian-gang-stolen-passwords/13639285/.
[4] See Press Release, supra.
[5] See Nicole Perlroth & David Gelles, Russian Hackers Amass Over a Billion Internet Passwords, N.Y. TIMES (Aug. 5, 2014), supra.